diff --git a/flake.nix b/flake.nix index e5bfe8ea..a9484a72 100644 --- a/flake.nix +++ b/flake.nix @@ -54,7 +54,6 @@ , nixos-generators , nur , attic - , microvm , ... }@inputs: let diff --git a/nixos/common/default.nix b/nixos/common/default.nix index 6a655146..e00f4e79 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix @@ -34,6 +34,8 @@ enableUserServices = true; }; + security.polkit.enable = lib.mkDefault true; + # Nix Settings nix = { registry.nixpkgs.flake = inputs.nixpkgs; @@ -74,9 +76,6 @@ nixpkgs.config.allowUnfree = true; - nixpkgs.config.permittedInsecurePackages = - [ "nodejs-16.20.2" "nodejs-14.21.3" "openssl-1.1.1w" ]; - # Limit the systemd journal to 100 MB of disk or the # last 7 days of logs, whichever happens first. services.journald.extraConfig = '' diff --git a/nixos/common/users/default.nix b/nixos/common/users/default.nix index d1f0b821..92842a20 100644 --- a/nixos/common/users/default.nix +++ b/nixos/common/users/default.nix 
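Review bot: `security.polkit.enable = lib.mkDefault true;` is switched on in the module every host imports without a comment saying which service or host needs polkit, so a later reader cannot tell whether a headless VM may safely override it back to false. A one-liner above it would settle that, e.g. `# Needed by <service that needs polkit — fill in>; hosts may override (mkDefault)`. Keep in mind that, as far as I recall, NixOS's polkit module treats `unix-group:wheel` as admin identities by default, and users/default.nix already sets `security.sudo.wheelNeedsPassword = lib.mkDefault false`, so wheel membership is the effective local-admin boundary on these hosts; that is worth stating in the same comment.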
@@ -1,32 +1,37 @@ { config, pkgs, lib, ... }: { imports = [ ./laura.nix ./vivian.nix ./jonathan.nix ]; + programs = { - # Setup ZSH to use grml config - programs.zsh = { - enable = true; - enableCompletion = true; - syntaxHighlighting.enable = true; - interactiveShellInit = '' - source "${pkgs.grml-zsh-config}/etc/zsh/zshrc" - export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow" - source "${pkgs.fzf}/share/fzf/key-bindings.zsh" - source "${pkgs.fzf}/share/fzf/completion.zsh" - eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" - ''; - # otherwise it'll override the grml prompt - promptInit = ""; + # Setup ZSH to use grml config + zsh = { + enable = true; + enableCompletion = true; + syntaxHighlighting.enable = true; + autosuggestions.enable = true; + interactiveShellInit = '' + source "${pkgs.grml-zsh-config}/etc/zsh/zshrc" + export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow" + source "${pkgs.fzf}/share/fzf/key-bindings.zsh" + source "${pkgs.fzf}/share/fzf/completion.zsh" + eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" + ''; + # otherwise it'll override the grml prompt + promptInit = ""; + }; + + # Install Neovim and set it as alias for vi(m) + neovim = { + enable = true; + viAlias = true; + vimAlias = true; + defaultEditor = true; + }; + + tmux.enable = true; }; environment.pathsToLink = [ "/share/zsh" ]; - # Install Neovim and set it as alias for vi(m) - programs.neovim = { - enable = true; - viAlias = true; - vimAlias = true; - defaultEditor = true; - }; - # Disable sudo prompt for `wheel` users. security.sudo.wheelNeedsPassword = lib.mkDefault false; @@ -41,15 +46,15 @@ # Setup packages available everywhere environment.systemPackages = with pkgs; [ + file fzf git htop ncdu psmisc + helix ripgrep rsync - tmux zoxide - tmux ]; } diff --git a/nixos/hosts/hades/attic/configuration.nix b/nixos/hosts/hades/attic/configuration.nix index 7b088d38..27aff095 100644 --- a/nixos/hosts/hades/attic/configuration.nix 
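Review bot: `autosuggestions.enable = true;` is a behavioural addition hidden inside what otherwise reads as a pure regrouping of `programs.zsh` and `programs.neovim` under one `programs` attrset, and nothing in the hunk calls it out. A short comment next to it, `# new: inline suggestions from history`, or a separate commit would keep the regrouping reviewable as a no-op. The `tmux.enable = true;` added here is what makes the `tmux` removal from `environment.systemPackages` in the next hunk safe, so the two hunks belong together.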
+++ b/nixos/hosts/hades/attic/configuration.nix @@ -26,10 +26,7 @@ in { ensureDatabases = [ "atticd" ]; ensureUsers = [{ name = "atticd"; - ensurePermissions = { - "DATABASE atticd" = "ALL PRIVILEGES"; - "schema public" = "ALL"; - }; + ensureDBOwnership = true; }]; }; diff --git a/nixos/hosts/hades/bastion/configuration.nix b/nixos/hosts/hades/bastion/configuration.nix index ab13ad55..4ad48e76 100644 --- a/nixos/hosts/hades/bastion/configuration.nix +++ b/nixos/hosts/hades/bastion/configuration.nix @@ -5,16 +5,7 @@ programs.mosh.enable = true; environment.systemPackages = with pkgs; [ - cachix - clang - direnv - git-crypt - nix-update - pinentry-curses - ripgrep - rsync rustup - tmux vault ]; diff --git a/nixos/hosts/hades/immich/configuration.nix b/nixos/hosts/hades/immich/configuration.nix index 4434cf27..fc5d4946 100644 --- a/nixos/hosts/hades/immich/configuration.nix +++ b/nixos/hosts/hades/immich/configuration.nix @@ -7,8 +7,7 @@ let # https://github.com/immich-app/immich/releases # version = "1.55.1"; dataDir = "/var/lib/immich"; -in -{ +in { imports = [ ]; # This value determines the NixOS release from which the default 
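Review bot: `ensureDBOwnership = true;` only evaluates when the role name matches a database listed in `ensureDatabases` (the NixOS postgresql module asserts this), and here `"atticd"`/`"atticd"` match, as do `"immich"`/`"immich"` in the immich hunk. The dex and hedgedoc hunks make the same change with `db_user` and `db_name` bound in a `let` outside their hunks, so confirm those two bindings are identical or evaluation will fail the assertion. Dropping the old `"schema public" = "ALL"` grant should be fine because, as far as I can tell, the public schema follows the database owner on PostgreSQL 15+ and older servers grant CREATE on public to everyone by default; if the attic host runs an older server, verify the role can still create tables in public after the switch.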
@@ -22,31 +21,32 @@ in # Additional packages environment.systemPackages = with pkgs; [ ]; - - # TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich fileSystems."/mnt/storage" = { device = "storage:/mnt/storage"; fsType = "nfs"; }; - - # Unused uid/gid snagged from this list: - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix - ids.uids.immich = 911; - ids.gids.immich = 911; - - users.groups.photos = {}; - - users.users.immich = { - isSystemUser = true; - group = "photos"; - description = "Immich daemon user"; - home = dataDir; - uid = config.ids.uids.immich; + ids = { + # Unused uid/gid snagged from this list: + # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix + uids.immich = 911; + gids.immich = 911; }; + users = { + groups = { + photos = { }; + immich = { gid = config.ids.gids.immich; }; + }; - users.groups.immich = { gid = config.ids.gids.immich; }; + users.immich = { + isSystemUser = true; + group = "photos"; + description = "Immich daemon user"; + home = dataDir; + uid = config.ids.uids.immich; + }; + }; # Postgres database configuration services.postgresql = { @@ -56,7 +56,7 @@ in ensureUsers = [{ name = "immich"; - ensurePermissions = { "DATABASE immich" = "ALL PRIVILEGES"; }; + ensureDBOwnership = true; }]; ensureDatabases = [ "immich" ]; diff --git a/nixos/hosts/hades/lucy/configuration.nix b/nixos/hosts/hades/lucy/configuration.nix index 0cee71ff..5b1e9118 100644 --- a/nixos/hosts/hades/lucy/configuration.nix +++ b/nixos/hosts/hades/lucy/configuration.nix 
@@ -49,17 +49,21 @@ in { allowedTCPPorts = [ 25565 ]; }; - users.extraUsers.laura.extraGroups = [ "wheel" ]; - users.groups.mc = { }; + users = { + groups.mc = { }; + extraUsers = { + laura.extraGroups = [ "wheel" ]; - users.extraUsers.julia = { - isNormalUser = true; - shell = pkgs.zsh; + julia = { + isNormalUser = true; + shell = pkgs.zsh; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch" - ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch" + ]; - extraGroups = [ "mc" "wheel" ]; + extraGroups = [ "mc" "wheel" ]; + }; + }; }; } diff --git a/nixos/hosts/hades/mastodon/configuration.nix b/nixos/hosts/hades/mastodon/configuration.nix index c797a129..4dde8175 100644 --- a/nixos/hosts/hades/mastodon/configuration.nix +++ b/nixos/hosts/hades/mastodon/configuration.nix 
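Review bot: `extraUsers = {` keeps the legacy alias of `users.users` alive on the new side, and since this block is being restructured anyway the canonical name is the better choice: change that one line to `users = {` so the attrset reads `users.users.laura` / `users.users.julia`. The same applies to `users.groups.mc` already using the canonical `groups`, so the file would then be consistent with itself. The rest of the hunk (key, group memberships) is moved unchanged.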
@@ -2,19 +2,94 @@ let vs = config.vault-secrets.secrets; cfg = config.services.mastodon; -in -{ +in { system.stateVersion = "21.05"; # Use DHCP with static leases networking.interfaces.eth0.useDHCP = true; # Better cache hits environment.noXlibs = lib.mkForce false; + services = { + elasticsearch = { + enable = true; + cluster_name = "mastodon-es"; + package = pkgs.elasticsearch7; + }; - services.elasticsearch = { - enable = true; - cluster_name = "mastodon-es"; - package = pkgs.elasticsearch7; + postgresql = { + enable = true; + package = pkgs.postgresql_16; + settings = { + shared_preload_libraries = "pg_stat_statements"; + "pg_stat_statements.track" = "all"; + "pg_stat_statements.max" = 10000; + track_activity_query_size = 2048; + }; + # The rest of the database setup is handled by mastodon + }; + + mastodon = { + enable = true; + package = pkgs.v.glitch-soc; + streamingProcesses = 3; + webPort = 55001; + enableUnixSocket = false; + localDomain = "xirion.net"; + trustedProxy = "192.168.0.122"; + mediaAutoRemove = { + enable = true; + olderThanDays = 30; + startAt = "daily"; + }; + + configureNginx = false; + + redis.createLocally = true; + + elasticsearch = { + host = "127.0.0.1"; + inherit (config.services.elasticsearch) port; + }; + + database.createLocally = true; + + smtp = { + createLocally = false; + fromAddress = "mastodon@xirion.net"; + host = "mail.0x76.dev"; + user = "mastodon@xirion.net"; + authenticate = true; + port = 587; + passwordFile = "${vs.mastodon}/smtp-password"; + }; + + extraConfig = { + BIND = "0.0.0.0"; + SINGLE_USER_MODE = "false"; + EMAIL_DOMAIN_ALLOWLIST = "xirion.net"; + DEFAULT_LOCALE = "en"; + + WEB_DOMAIN = "fedi.xirion.net"; + ALTERNATE_DOMAINS = "meowy.tech"; + + SMTP_AUTH_METHOD = "plain"; + SMTP_OPENSSL_VERIFY_MODE = "none"; + + RAILS_SERVE_STATIC_FILES = "false"; + + AUTHORIZED_FETCH = "true"; + + # https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md; + # https://shivering-isles.com/Mastodon-and-Amazon-S3 + 
S3_ENABLED = "true"; + S3_REGION = "hades"; + S3_BUCKET = "mastodon"; + S3_ENDPOINT = "http://garage.hades:3900"; + S3_ALIAS_HOST = "fedi-media.xirion.net"; + + DEEPL_PLAN = "free"; + }; + }; }; vault-secrets.secrets.mastodon = { 
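Review bot: `SMTP_OPENSSL_VERIFY_MODE = "none";` together with `SMTP_AUTH_METHOD = "plain";` and `port = 587;` means the password read from `${vs.mastodon}/smtp-password` is sent with PLAIN auth over a STARTTLS session whose server certificate is never checked, so the credential's confidentiality rests on the network path to mail.0x76.dev rather than on TLS. If that host presents a publicly trusted certificate, `SMTP_OPENSSL_VERIFY_MODE = "peer";` restores verification at no cost; if it cannot, a comment stating why verification is off belongs next to the line. `S3_ENDPOINT = "http://garage.hades:3900";` is plain HTTP as well, presumably on an internal network, which a one-word comment (`# internal`) would make explicit. These lines are moved rather than introduced by this commit, but the new side is what gets reviewed.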
@@ -31,82 +106,6 @@ in EOF ''; - services.postgresql = { - enable = true; - package = pkgs.postgresql_16; - settings = { - shared_preload_libraries = "pg_stat_statements"; - "pg_stat_statements.track" = "all"; - "pg_stat_statements.max" = 10000; - track_activity_query_size = 2048; - }; - # The rest of the database setup is handled by mastodon - }; - - services.mastodon = { - enable = true; - package = pkgs.v.glitch-soc; - streamingProcesses = 3; - webPort = 55001; - enableUnixSocket = false; - localDomain = "xirion.net"; - trustedProxy = "192.168.0.122"; - mediaAutoRemove = { - enable = true; - olderThanDays = 30; - startAt = "daily"; - }; - - configureNginx = false; - - redis.createLocally = true; - - elasticsearch = { - host = "127.0.0.1"; - inherit (config.services.elasticsearch) port; - }; - - database.createLocally = true; - - smtp = { - createLocally = false; - fromAddress = "mastodon@xirion.net"; - host = "mail.0x76.dev"; - user = "mastodon@xirion.net"; - authenticate = true; - port = 587; - passwordFile = "${vs.mastodon}/smtp-password"; - }; - - extraConfig = { - BIND = "0.0.0.0"; - SINGLE_USER_MODE = "false"; - EMAIL_DOMAIN_ALLOWLIST = "xirion.net"; - DEFAULT_LOCALE = "en"; - - WEB_DOMAIN = "fedi.xirion.net"; - ALTERNATE_DOMAINS = "meowy.tech"; - - SMTP_AUTH_METHOD = "plain"; - SMTP_OPENSSL_VERIFY_MODE = "none"; - - RAILS_SERVE_STATIC_FILES = "false"; - - AUTHORIZED_FETCH = "true"; - - # https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md; - # https://shivering-isles.com/Mastodon-and-Amazon-S3 - S3_ENABLED = "true"; - S3_REGION = "hades"; - S3_BUCKET = "mastodon"; - S3_ENDPOINT = "http://garage.hades:3900"; - S3_ALIAS_HOST = "fedi-media.xirion.net"; - - DEEPL_PLAN = "free"; - }; - }; - - networking.firewall = - let cfg = config.services.mastodon; - in { allowedTCPPorts = [ cfg.webPort ]; }; + networking.firewall = let cfg = config.services.mastodon; + in { allowedTCPPorts = [ cfg.webPort ]; }; } 
diff --git a/nixos/hosts/hades/nginx/configuration.nix b/nixos/hosts/hades/nginx/configuration.nix index 87341d93..713011d2 100644 --- a/nixos/hosts/hades/nginx/configuration.nix +++ b/nixos/hosts/hades/nginx/configuration.nix @@ -12,8 +12,7 @@ let proxyWebsockets = true; }; }; -in -{ +in { imports = [ ]; # This value determines the NixOS release from which the default @@ -46,22 +45,25 @@ in "xirion.net" = { enableACME = true; forceSSL = true; - locations."/".extraConfig = '' - add_header Content-Type 'text/html; charset=UTF-8'; - return 200 'Hello, World!'; - ''; + locations = { + "/".extraConfig = '' + add_header Content-Type 'text/html; charset=UTF-8'; + return 200 'Hello, World!'; + ''; - # Mastodon federation - locations."= /.well-known/host-meta".extraConfig = '' - return 301 https://fedi.xirion.net$request_uri; - ''; - locations."/.well-known/webfinger".extraConfig = '' - add_header Access-Control-Allow-Origin '*'; - return 301 https://fedi.xirion.net$request_uri; - ''; + # Mastodon federation + "= /.well-known/host-meta".extraConfig = '' + return 301 https://fedi.xirion.net$request_uri; + ''; + "/.well-known/webfinger".extraConfig = '' + add_header Access-Control-Allow-Origin '*'; + return 301 https://fedi.xirion.net$request_uri; + ''; + }; }; - "peepeepoopoo.xirion.net" = proxy "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already! + "peepeepoopoo.xirion.net" = proxy + "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already! "plex.xirion.net" = { # Since we want a secure connection, we force SSL diff --git a/nixos/hosts/hades/rtorrent/configuration.nix b/nixos/hosts/hades/rtorrent/configuration.nix index af10331c..3c8afc6a 100644 --- a/nixos/hosts/hades/rtorrent/configuration.nix +++ b/nixos/hosts/hades/rtorrent/configuration.nix 
@@ -2,13 +2,40 @@ let vs = config.vault-secrets.secrets; in { imports = [ ./rtorrent.nix ]; + networking = { + interfaces.eth0.useDHCP = true; + firewall = { + allowedTCPPorts = [ config.services.rtorrent.port ]; + allowedUDPPorts = [ config.services.rtorrent.port ]; + }; - networking.interfaces.eth0.useDHCP = true; + wg-quick.interfaces = let + postUpScript = pkgs.writeScriptBin "post_up" '' + #!${pkgs.stdenv.shell} + ${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1 + ${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1 + ''; + in { + wg0 = { + address = + [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ]; + mtu = 1320; + dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ]; + privateKeyFile = "${vs.rtorrent}/wireguardKey"; + postUp = "${postUpScript}/bin/post_up || true"; + + peers = [{ + publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk="; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "europe3.vpn.airdns.org:1637"; + presharedKeyFile = "${vs.rtorrent}/presharedKey"; + persistentKeepalive = 15; + }]; + }; + }; + }; system.stateVersion = "22.05"; - networking.firewall.allowedTCPPorts = [ config.services.rtorrent.port ]; - networking.firewall.allowedUDPPorts = [ config.services.rtorrent.port ]; - fileSystems."/mnt/storage" = { device = "storage:/mnt/storage"; fsType = "nfs"; 
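Review bot: `address = [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];` packs two addresses into one list element; the module likely joins elements with commas so wg-quick still parses it, but at the Nix level the option expects `address = [ "10.129.112.89/32" "fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];`. Separately, `postUp = "${postUpScript}/bin/post_up || true";` swallows a failed route add, and with `allowedIPs = [ "0.0.0.0/0" "::/0" ]` those two routes via 192.168.0.1 are what keep 10.42.42.0/23 and 10.100.0.0/24 reachable outside the tunnel, so a silent failure surfaces later as an unreachable host rather than a failed unit; consider dropping `|| true` or at least logging inside the script. The `networking` attrset opened here closes within the hunk, but `fileSystems."/mnt/storage"` continues past it.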
@@ -22,32 +49,4 @@ in { }; vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; }; - - networking.wg-quick.interfaces = - let - postUpScript = pkgs.writeScriptBin "post_up" '' - #!${pkgs.stdenv.shell} - ${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1 - ${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1 - ''; - in - { - wg0 = { - address = [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ]; - mtu = 1320; - dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ]; - privateKeyFile = "${vs.rtorrent}/wireguardKey"; - postUp = "${postUpScript}/bin/post_up || true"; - - peers = [ - { - publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk="; - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - endpoint = "europe3.vpn.airdns.org:1637"; - presharedKeyFile = "${vs.rtorrent}/presharedKey"; - persistentKeepalive = 15; - } - ]; - }; - }; } diff --git a/nixos/hosts/olympus/bastion/configuration.nix b/nixos/hosts/olympus/bastion/configuration.nix index 40d78ead..9540561b 100644 --- a/nixos/hosts/olympus/bastion/configuration.nix +++ b/nixos/hosts/olympus/bastion/configuration.nix 
@@ -2,36 +2,13 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, ... }: -let - fix-vscode = pkgs.writeScriptBin "fix-vscode" '' - #!${pkgs.stdenv.shell} - # Check if vscode-server dir exists - if [[ -d "$HOME/.vscode-server/bin" ]]; then - # For every bin folder within - for versiondir in "$HOME"/.vscode-server/bin/*; do - # Remove bundled node (dynamic links are borked for nix) - rm "$versiondir/node" - # symlink node form the nixpkg - ln -s "${pkgs.nodejs-16_x}/bin/node" "$versiondir/node" - done - fi - ''; -in -{ +{ pkgs, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ]; - # This _should_ fix vscode errors as well programs.nix-ld.enable = true; - # environment.variables = { - # NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ - # pkgs.stdenv.cc.cc - # ]; - # # NIX_LD = lib.fileContents "${pkgs.stdenv.cc}/nix-support/dynamic-linker"; - # }; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; @@ -48,22 +25,7 @@ in virtualisation.podman.enable = true; # Additional packages - environment.systemPackages = with pkgs; [ - binutils - fix-vscode - fluxcd - k9s - kubectl - kubectx - nix-prefetch-git - nixpkgs-fmt - nixpkgs-review - ripgrep - rsync - tmux - vault - vim - ]; + environment.systemPackages = with pkgs; [ vault ]; programs.gnupg.agent = { enable = true; diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix index 2ca6d0ef..282f8ade 100644 --- a/nixos/hosts/olympus/dex/configuration.nix +++ b/nixos/hosts/olympus/dex/configuration.nix @@ -33,10 +33,7 @@ in { ensureDatabases = [ db_name ]; ensureUsers = [{ name = db_user; - ensurePermissions = { - "DATABASE ${db_name}" = "ALL PRIVILEGES"; - "schema public" = "ALL"; - }; + ensureDBOwnership = true; }]; }; 
diff --git a/nixos/hosts/olympus/hedgedoc/configuration.nix b/nixos/hosts/olympus/hedgedoc/configuration.nix index 4525e08a..76defb5e 100644 --- a/nixos/hosts/olympus/hedgedoc/configuration.nix +++ b/nixos/hosts/olympus/hedgedoc/configuration.nix @@ -32,7 +32,7 @@ in ensureDatabases = [ db_name ]; ensureUsers = [{ name = db_user; - ensurePermissions = { "DATABASE ${db_name}" = "ALL PRIVILEGES"; }; + ensureDBOwnership = true; }]; }; diff --git a/nixos/pkgs/glitch-soc/source.nix b/nixos/pkgs/glitch-soc/source.nix index c866b06b..9fc7000d 100644 --- a/nixos/pkgs/glitch-soc/source.nix +++ b/nixos/pkgs/glitch-soc/source.nix @@ -11,7 +11,7 @@ in rev = "v${version}"; hash = "sha256-fZH3zPEU5jnYFhLx8OKDNrvsSVT46Peu92L84Fg5YpQ="; }; - patches = patches ++ []; + inherit patches; }) // { inherit version; yarnHash = "sha256-P7KswzsCusyiS4MxUFnC1HYMTQ6fLpIwd97AglCukIk=";